Protection of privacy is a primary consideration for Merito Global Resourcing Services (“MGRS”).
Our Privacy Policy applies to physical persons and aims to explain clearly and simply to you - as a client, a potential client, a person connected to a client or to a potential client (for example, as a representative of a client or a beneficial owner of a client who is a legal entity or of an operation), a visitor on our website - how we collect, use and store your personal data.
This Policy applies both to data which are initially collected when you contact a member company of MGRS and data which are later obtained by MGRS (for example, when you request an additional service, or when you update data that you have initially provided).
Your data are currently processed in compliance with the law, which is currently the Regulation (EU) No 2016/679 of 27 April 2016, the General Data Protection Regulation, known as "GDPR", or any piece of legislation amending it. For more detailed information about data protection, please visit the CNPD website (https://cnpd.public.lu/en/legislation/droit-lux.html).
This policy is updated regularly. Please check our website regularly to find out which version currently applies.
1. Who are we?
The “MGRS” brand refers to a group of legal entities:
MERITO GLOBAL RESOURCING SERVICES (MGRS) S.à.r.l., approved by the Luxembourg authorities and monitored by the Ordre des Experts-Comptables de Luxembourg (“OEC”) (RCS Luxembourg B208165),
MERITO GLOBAL RESOURCING SERVICES BELGIUM SRL, approved by the Belgian authorities and monitored by the Institute for Tax Advisors and Accountants (“ITAA”) (CBE 0791.326.691),
Our contact details are as follows:
MERITO GLOBAL RESOURCING SERVICES (MGRS) S.à.r.l.
19, rue Eugène Ruppert
L-2453 Luxembourg
Tel. +352 27 02 96 87
We make every effort to comply with current data protection legislation and implementing measures, supervised by the CNPD.
If we outsource services to our specialist partners to act as data processors, they must comply with our data protection policy and fulfil their legal obligations in this respect. We endeavour to protect your personal data with the appropriate provisions in our agreements with data processors and any other parties who may assist us with processing your personal data, or with whom we share your information.
2. Data subjects
MGRS processes the personal data of individuals or legal entities with whom it has or may have a direct or indirect relationship.
Customers
As a data controller, MGRS processes the personal data relating to every (co-)signatory of an agreement, their representatives, beneficiaries or any other persons acting as representatives thereof. Regarding legal entities, MGRS shall, as required, process the personal data of any persons associated with a legal entity, such as representatives, managers, directors, employees and their beneficial owners.
External service providers and sub-contractors
In order to provide the service/fulfil the assignment in question, MGRS may have to process personal data relating to its external service providers or sub-contractors, representatives thereof and/or employees who may interact with MGRS, subject to legal and/or contractual requirements or when necessary.
Visitors
MGRS collects and processes the personal data of those who visit the website or physical premises.
Third parties
Depending on the circumstances, MGRS may process the data of third parties who are linked to the customer. Customers who send MGRS personal data concerning third parties, such as their family members, friends, beneficiaries, representatives or employer and their representatives or their beneficial owners, shall inform these third parties that their data may be processed by MGRS, and also that this Policy exists.
Prospective or potential customers who display an interest in MGRS’s products and services
As part of its activities and subject to legal and/or contractual requirements, MGRS may keep, use and process personal data regarding prospective or potential customers who display an interest in the group’s products and services.
3. Nature of the personal data processed:
As part of its commercial activities and depending on the purpose, MGRS may collect and process different categories of personal data. This might be data that identifies you directly or indirectly.
The different types of personal data that we normally collect are as follows:
- Identification and administrative data: your surname, first names, address, ID card number, email address, telephone numbers, your age, gender, date of birth, place of birth, marital status and nationality, etc.;
- Professional data: job title, company, etc.;
- Financial data: your invoices, payslips, income, the value of your property, the source of your funds or assets, tax information, transaction data, etc.;
- Household composition data: your family circumstances, details about other people in the household, etc.;
- Data related to your investor profile: your knowledge and experience of financial instruments and your financial situation, including your ability to bear losses, your investment objectives and your risk tolerance;
- Digital data: records of emails sent, IP address, cookies that are strictly necessary for the website to function correctly, etc.;
- Environmental data: characteristics, habits, information on social media, etc.;
- Data obtained from third parties: data supplied by public authorities.
We do not process sensitive data, including personal data revealing racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health-related data or data concerning a person’s sex life or sexual orientation.
Nevertheless, we may, in the context of certain legal obligations and when necessary, process data related to convictions and offences and the holding of public/political office.
4. When and how do we collect this data?
MGRS may collect this personal data in the following situations:
- When you become a customer and you send us your personal data yourself by any means, or when a third party or your advisor sends us your details, including prior to entering into an agreement;
- When you have made your personal data public by any means;
- When MGRS obtains data from external sources in the context of monitoring measures in respect of the fight against money laundering and terrorist financing (such as UN/EU consolidated sanctions list, OFAC, HM Treasury, SECO, Rosfinmonitoring, Interpol);
- When you visit our website;
- When you visit our premises or contact our departments by telephone;
- When you complete one of our forms or sign an agreement with a company within MGRS.
5. Purposes of the personal data processing
MGRS may process personal data pursuant to applicable law and solely for the following purposes (collectively, the “Purposes”):
- To supply professional services, including:
  - Auditing and insurance;
  - Tax, accounting and reporting (tax advice, consolidation, global tax compliance, tax services for individuals, accounting and bookkeeping, setting salaries, employment contracts, etc.) and
  - Consultancy (advice, corporate finance, individuals and organizations, regulations and compliance, technology, etc.);
  - Coaching and HR consultancy;
  - Assistance with property matters (finding property/offices, advice, lease, etc.).
- Maintaining administrative and customer/supplier relationship management systems, in particular:
  - issuing proposals/bids and drafting contracts;
  - monitoring and managing customers/suppliers;
  - invoicing and paying invoices;
  - advertising, communication and public relations;
  - organizing events;
  - quality inspections; and
  - improving the customer or user experience and personalizing the provision of services.
- Applying acceptance and ongoing support procedures (including the fight against money laundering, corruption and terrorist financing);
- Facilitating compliance with legal, regulatory, professional and/or contractual obligations (including independence and archiving requirements);
- Maintaining and protecting buildings, equipment, IT infrastructure and data (including access and authentication management, security and performance monitoring, etc.);
- Maintaining the continuity of operations;
- Managing risks and disputes;
- Processing applications from data subjects; and/or
- Managing websites.
6. Legal basis
6.1 Legal obligations
The companies within MGRS are bound by a number of legal and regulatory obligations requiring the processing of your data. These obligations fall mainly under the following legal and regulatory domains:
- The obligation to respond to any legitimate request from a public, legal, supervisory review or tax authority based in Luxembourg or abroad;
- The obligation to assist with the prevention of money laundering and the financing of terrorist activities, by identifying customers, representatives and beneficial owners, profiling and monitoring operations and transactions.
- The obligation to comply with legislation on embargoes decided by the competent authorities in Luxembourg or abroad, against individuals, organizations or nationals of certain States, including by identifying the persons and assets concerned;
- The obligation to save and archive certain types of data.
The list of legal and regulatory areas by virtue of which companies in MGRS process your data is non-exhaustive and may change.
As regards its legal obligations relating to the fight against money laundering and terrorist financing, MGRS performs automatic checks, using external sources or data that is specifically requested from you. Such automatic checks may subsequently lead to a refusal to enter into contract, or a request for additional information, as the case may be, but in any case, human intervention will validate the decision.
6.2 Contractual relationships
Before concluding contracts/letters of engagement, companies in MGRS may and, in some cases, must obtain and process certain types of data, in particular in order to:
- Answer your questions;
- Respond to a request/application, assess its advisability and evaluate the risks related to a potential contract/letter of engagement.
6.3 Legitimate interests
MGRS also processes your data in its own legitimate interests. To this end, MGRS ensures that it maintains the proper balance between the need to process data and respect for your rights and freedoms, in particular the protection of privacy.
Personal data is thus processed for:
- The organization of promotional events;
- The organization of themed conferences.
6.4 Consent
In some cases, MGRS will process your personal data only if it has specifically obtained your consent in this regard.
As an example:
MGRS will not send you advertising communications by email or text message and will only process your electronic communication data for that purpose if you have specifically consented thereto (see 6.5).
Important: your consent is required only for communications of a commercial nature by email. In any case, we reserve the right to contact you through all communication channels and, in particular, by email in performance of your contract or if the law obliges us to do so.
6.5 Commercial prospection
MGRS offers you a wide range of products and services, and as a company, it has a legitimate interest in being able to inform you of the products or services that it provides or promotes. In this regard, it may sometimes use your personal data, and in particular your contact details, to send you communications of a commercial or informative nature.
In practice, this means that you may be contacted, for example, in the following cases:
- About products in which you have expressed an interest (for example by registering for an information session);
- When MGRS launches new products or services;
- When you have initiated the process to subscribe to a product or service and have not completed that process.
For the purposes of such prospection, MGRS may contact you by traditional methods such as the telephone or ordinary post. MGRS will only use such traditional communication methods if you have not exercised your right to object to the use of your data for direct marketing purposes (see 12.6).
MGRS may also contact you by electronic means (email, fax or text message). It will, however, only do so if you have expressed your agreement in this regard.
Under no circumstances will MGRS communicate your data to third parties to enable them to send you marketing communications regarding their own products and services. Moreover, MGRS never processes sensitive data for marketing purposes.
Lastly, MGRS does not use profiling or similar identification technologies.
7. MGRS acting as processor
As a processor, MGRS undertakes to only process personal data upon lawful and documented instructions from the data controller, included in the contractual documents applying to the services and in this information notice, and undertakes to ensure that its employees authorized to access personal data are subject to an appropriate confidentiality obligation. To avoid any ambiguity, this notice is designed to meet the requirements of Articles 28 and 29 of the General Data Protection Regulation.
MGRS makes available to the data controller the legal information necessary to demonstrate compliance with the obligations laid down in this notice. The data controller may perform audits and inspections, to the extent that the law allows them to do so, subject to reasonable advance notice. Audits/inspections are carried out during normal opening hours of MGRS and no more than once a year. MGRS hereby informs inspectors that audits/inspections may not infringe the legal, regulatory and contractual obligations incumbent upon MGRS, such as professional secrecy. Consequently, the data controller and the latter’s potential auditors are not authorized to access (i) data or information relating to other customers of MGRS, (ii) any data exclusive to MGRS or (iii) any other confidential information held by MGRS which is not relevant or strictly necessary for the purposes of the audit/inspection.
MGRS assists the data controller by taking the appropriate technical and organizational measures according to the nature of the processing, to the extent possible, that are necessary in order to meet the data controller’s obligation:
- Replying to data subjects’ requests to exercise their rights, as defined in this notice;
- Carrying out and/or assisting the data controller with data protection impact assessments as laid down in Article 35 of the GDPR and performing upstream consultations with a monitoring authority or other governmental authority where applicable laws so require;
- Serving notice of a breach of personal data on the competent monitoring authority and/or the data subject(s). To this end, MGRS shall immediately notify the data controller of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data; and
- Supplying information that the data controller reasonably requests to enable them to comply with their obligations by virtue of applicable law if the information requested is in the possession or under the control of MGRS and the data controller has no other reasonable way of obtaining such information.
If MGRS takes on other data processors to carry out specific processing tasks on the data controller’s behalf, it shall impose upon them the same data protection obligations as those set forth herein by means of a contract or other legal instrument by virtue of the laws of the European Union or of the Member States. Any change envisaged concerning the addition or replacement of such data processors shall be communicated to the data controller.
8. Obligations of customers
According to the aims sought, the provision of personal data is a legal and/or contractual obligation; failure to supply such personal data may render execution of services by MGRS impossible.
As an essential condition for providing services, MGRS considers that customers (and parties to an undertaking with MGRS, for which the customers concerned act as guarantors) will ensure that:
- Personal data that they supply (or to which they give access) to MGRS is accurate, appropriate, relevant and limited to the extent necessary to meet the specific aim for which it is disclosed, and is saved adequately in their systems;
- They comply with applicable law on personal data processing by MGRS (including the lawful nature of data supplied and, where applicable, the collection and management of consent of the data subject as a result thereof);
- Data subjects are informed of conditions and methods according to which their personal data is processed by MGRS, as described in this notice, in the form required by applicable law; and
- They shall inform MGRS immediately if any of the above conditions ceases to be met.
9. Retention period
We make every effort not to retain your personal data beyond the period required for the processing for which it was collected. When assessing the period for which your personal data will be retained, we must also take into account the applicable regulatory requirements (for example: the requirements arising out of the law on the fight against money laundering and terrorist financing).
10. Data security
We take the appropriate technical and organizational measures to ensure that your personal data is adequately secured against accidental loss or disclosure to unauthorized persons.
We have put in place technical security measures in compliance with the international rules and standards in force in order to protect your personal data.
You can also ensure the security of your personal data by following this advice:
- Use the latest operating system on your computer and install all security updates;
- Use the most recent version of your browser and install all security updates;
- Install antivirus software, anti-spyware software and a firewall, and set your preferences so that these programs are regularly updated;
- Do not leave your device or connection equipment unsupervised;
- Ensure that your passwords are confidential;
- Connect only using a device that you trust and avoid using shared computers/devices for communications about sensitive transactions.
If you are unsure about a website, do not use it and do not enter codes/passwords.
Do not open email attachments that you are not expecting.
Emails may contain viruses or malware, even if you know the sender. Ensure that your antivirus software also checks attachments to your incoming email. Activate where applicable the email filter on your browser.
If you contact us with a question relating to the execution of instructions, we will ask you personal questions in order to identify you.
11. Who are the recipients of your personal data? To whom can your personal data be transferred?
At MGRS, your personal data can be accessed only by individuals whose work requires access to that data.
In some cases, the law requires us to disclose your personal data to third parties:
- To Luxembourg or foreign tax authorities where MGRS is required to disclose the customer’s personal data;
- To public or judicial authorities such as the police, public prosecutors, courts, etc., and only when expressly requested by them;
- To lawyers (for example in the context of bankruptcy), notaries (for example when a company is incorporated), etc.
In some cases, MGRS enlists data processors to provide you with services that you have subscribed to, or to process your personal data. This may be, for example:
- Specialized financial sector suppliers who must also comply with their legal obligations as data processors or joint data controllers (for example: banking institutions, etc.);
- Service providers assisting us in:
  - Designing and maintaining our tools;
  - Marketing our activities, organizing events and managing customer communications;
  - Developing and/or managing our products and services.
In that case, we ensure that such data processors only have access to the personal data necessary to complete the specific tasks requested. We also ensure that our data processors undertake to use the data in a secure and confidential manner, and use it in line with our instructions.
Under no circumstances will we sell your personal data to third parties.
12. Cross-border data transfers
In principle, MGRS never transfers personal data outside the EEA except:
- To countries that provide an adequate level of personal data protection as determined by the European Commission; or
- To recipients under an appropriate agreement containing the requirements of applicable law for such a transfer. A copy of the applicable safeguards can be requested from MGRS’s data protection officer.
13. What are your rights?
13.1 Right of access and rectification
You have the right to access your personal data. MGRS can inform you about:
- the nature of the personal data processed;
- the reasons why we collect your data;
- the categories of recipients of your personal data;
- how long your data will be kept;
- the reason for the potential automatic processing of your personal data;
- the source of personal data processed, if it was not collected from you.
If you find your data to be inaccurate or incomplete, you may ask us to rectify it.
We make every effort to ensure that your personal data is correct, up-to-date, complete and relevant. This is why we ask that you inform us of any changes (change of address, new ID card, acquiring a new nationality, etc.).
If we correct your data and we had previously shared it with a third party, we shall also notify the third party concerned.
13.2 Right to be forgotten
In certain specific cases, legislation enables you to have your personal data deleted.
This is the case namely if the data is no longer necessary for the purposes for which we collected it (for example, because you sent us your contact details in order to take part in an event which has ended), if the processing of your data is based exclusively on your consent which you have subsequently withdrawn, or if you have objected to the processing of your data and we have no legitimate reasons that prevail over your reasons.
However, MGRS may keep your personal data when it is needed to establish, exercise or defend its legal claims or for MGRS to meet its legal obligations. MGRS shall also be bound by the retention periods stipulated in various laws, namely when the data was collected in the context of our obligations in respect of anti-money laundering and anti-terrorist financing (see point 6.1).
13.3 The right to restrict processing
This particular right allows you to request that MGRS temporarily lock your data in specific cases set out by regulations: MGRS will then no longer be able to process your data at issue for a specified period of time.
Such locking may be requested:
- If the data in question is incorrect, incomplete, equivocal, or outdated, for the time necessary to enable us to check the accuracy of your data;
- If its collection, use, disclosure or retention is prohibited;
- If it is no longer necessary in relation to the purposes for which it was processed;
- For the period needed by MGRS to examine the well-founded nature of an objection.
If you have exercised this right, we may retain your personal data but we will no longer be able to process it except with your consent, or to establish, exercise or defend our rights (or those of another person).
13.4 Right to data portability
By virtue of this right, you can ask MGRS to send you your personal data or to send it directly to another data controller, where this is technically possible for MGRS. Said right concerns only data that you have supplied to MGRS yourself and which is the subject of automatic processing, on the basis of the contract or on the basis of your consent.
You can make a request by sending it to dpo@merito.lu
13.5 Right to withdraw your consent
If the processing of your personal data is based on your consent, you are entitled to withdraw such consent at any time. Said withdrawal shall not, however, call into question the lawful nature of the processing carried out in the period prior to your withdrawal of consent.
13.6 Right to object
You always have the right to object, without needing to provide grounds and free of charge, to the use of your personal data for commercial prospection purposes (see 15). In that case, your data will no longer be used for such purpose.
In addition, you are also entitled to object, for reasons relating to your own situation, to any processing of your personal data which is based on our legitimate interests. However, your request will not be acceded to if our legitimate interests prevail over your own, or if the processing of your data is required in order to establish, exercise or defend our rights in the courts.
14. How can you exercise your rights?
In order to exercise your rights, you can send us your request, dated and signed, accompanied by a legible front-and-back copy of your identity card, being as specific as possible:
By post to:
MGRS
c/o Data Protection Officer
19, rue Eugène Ruppert
L-2453 Luxembourg
By email to:
Once your full request has been received, we will reply as quickly as possible and at the latest within one month.
Nevertheless, if your request is complex and requires a significant amount of resources, we may extend this to a two-month period, in accordance with Article 12.3 of the GDPR.
We may bill you a reasonable amount on the basis of administrative costs for any additional copy(ies) requested in respect of the exercising of your right to access your personal data, or if your request is manifestly unfounded or excessive.
15. How can you let us know that you no longer wish to receive marketing/commercial offers?
If you no longer wish to receive marketing offers from us or to limit them, you can let us know by writing to us by post or email as stated in point 13.6. You can, for example, ask us to send you only some of our newsletters or let us know your preferences in terms of method of communication.
16. Who should you contact in the event of a dispute?
If there is a dispute concerning the processing of your personal data, you can submit a request for mediation to the National Commission for Data Protection at the following address:
COMMISSION NATIONALE POUR LA PROTECTION DES DONNÉES
15, Boulevard du Jazz
L-4370 Belvaux
Tel: +352 2610601
Fax: +352 26106029
Special provisions apply to MGRS employees.
APPENDIX: Use of cookies and other technologies
MGRS uses cookies and similar identification technologies.
A cookie is a small data file copied onto your computer’s hard disk by a website. It records information concerning the browsing of a website by your computer (such as, for example, pages visited or date and times consulted), which can be read when you subsequently visit the site.
MGRS may send cookies when you visit the website or when you register to access an online service.
Cookies in place on the website are only those cookies necessary to the site to allow it to function optimally.
You can refuse or accept the installation of cookies selectively by configuring the browser used by your terminal. You can restrict the use of cookies by modifying your browser settings. You can block them and delete them by using your browser settings, but this may negatively affect your user experience.
Links to other websites/third-party content
If the MGRS website includes links to external websites and resources, this does not constitute approval and MGRS accepts no liability as regards the content (or information contained therein) of any linked website.